public_key:pkix_path_validation fails validation of certs expiring later than 2050 #6403
Comments
I agree that we should change the implementation to use the rolling window method.
Although the sliding window expects that you have no older certs than 50 years back, this seems not to be working out for your example. validity = So we get NotBefore: 2070, NotAfter: 2069. But I guess you wanted NotBefore: 1970, NotAfter: 2069.
The best of course is to make new certs adhere to the new date-format so that we do not have to guess!
…te-validation/GH-6403/OTP-18356 Improve `public_key:pkix_path_validation` to allow certificates that expire after 2050 OTP-18356
Closed by PR #6542
…te-validation/GH-6403/OTP-18356 public_key: fix pre2000 test with change of year 2023
Describe the bug
When a certificate contains a `notAfter` attribute with `utcTime` and `69` as year, the current implementation interprets `69` as `1969` and thus fails validation.
To Reproduce
Will yield
`{error,{bad_cert,cert_expired}}`
Expected behavior
Certificate validation should succeed, and the `69` component of the certificate attribute `notAfter` should be interpreted as `2069` instead of `1969`.
Affected versions
Erlang/OTP 25 [erts-13.0.2]
Additional context
This is due to the implementation of `validate_time` inside `public_key.erl`. The implementation uses the simple method instead of the rolling window method reported in https://www.oss.com/asn1/resources/books-whitepapers-pubs/larmouth-asn1-book.pdf (page 91).
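An added example (not OTP's code and not from the issue or its comments) that compares the two readings of a two-digit `utcTime` year discussed in this thread, including the `NotBefore` year `70` case raised in the comments. The module and function names, the window bounds of 50 years back and 49 ahead, the `not_yet_valid` atom, the clock value and the sample dates are assumptions; the simple method is assumed to be the fixed pivot at 50 from RFC 5280.

```erlang
%% Added example; not OTP code. Names are hypothetical.
-module(utctime_window).
-export([simple_year/1, rolling_year/2, check/4, demo/0]).

%% Fixed pivot (RFC 5280, 4.1.2.5.1): YY >= 50 -> 19YY, otherwise 20YY.
simple_year(YY) when YY >= 50, YY =< 99 -> 1900 + YY;
simple_year(YY) when YY >= 0, YY < 50 -> 2000 + YY.

%% Rolling window (assumed bounds): choose the century that places YY
%% inside [NowYear - 50, NowYear + 49].
rolling_year(YY, NowYear) when YY >= 0, YY =< 99 ->
    Oldest = NowYear - 50,
    Candidate = (Oldest div 100) * 100 + YY,
    if Candidate < Oldest -> Candidate + 100;
       true -> Candidate
    end.

%% Convert a utcTime string "YYMMDDHHMMSSZ" to gregorian seconds,
%% resolving the two-digit year with YearFun.
to_seconds([Y1,Y2,Mo1,Mo2,D1,D2,H1,H2,Mi1,Mi2,S1,S2,$Z], YearFun) ->
    I = fun(A, B) -> list_to_integer([A, B]) end,
    Date = {YearFun(I(Y1,Y2)), I(Mo1,Mo2), I(D1,D2)},
    Time = {I(H1,H2), I(Mi1,Mi2), I(S1,S2)},
    calendar:datetime_to_gregorian_seconds({Date, Time}).

%% Validity check of NotBefore/NotAfter against the datetime Now.
check(NotBefore, NotAfter, Now, YearFun) ->
    NowS = calendar:datetime_to_gregorian_seconds(Now),
    NB = to_seconds(NotBefore, YearFun),
    NA = to_seconds(NotAfter, YearFun),
    if NowS < NB -> {error, {bad_cert, not_yet_valid}};
       NowS > NA -> {error, {bad_cert, cert_expired}};
       true -> valid
    end.

demo() ->
    Now = {{2022,10,27},{0,0,0}},           % constructed clock
    {{NowYear,_,_},_} = Now,
    Rolling = fun(YY) -> rolling_year(YY, NowYear) end,
    NotAfter = "691231235959Z",             % constructed, year "69"
    [{simple,  check("220101000000Z", NotAfter, Now, fun simple_year/1)},
     {rolling, check("220101000000Z", NotAfter, Now, Rolling)},
     %% 1970 is older than NowYear - 50, so year "70" resolves to 2070
     {rolling_nb70, check("700101000000Z", NotAfter, Now, Rolling)}].
```

In an Erlang shell, `c(utctime_window).` followed by `utctime_window:demo().` runs the three cases.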